COMMAND
Tektronix (Xerox)
SYSTEMS AFFECTED
Tektronix (Xerox) PhaserLink Webserver
PROBLEM
Ltlw0lf posted the following. New Tektronix (Xerox) printers have
covered up a security through obscurity flaw discovered in
November, 1999 with more security through obscurity. The
unauthenticated and unfiltered administrator configuration page
on the PhaserLink webserver is now located at the URL
http://printername/_ncl_subjects.shtml
Furthermore, Tektronix has added the item "Userid:" to the printer
config page, supposedly to add more granularity (or obscurity) to
the configuration process. However, this may allow unfiltered and
unauthenticated users to discover the administrator's valid userid
and password. And more, the printer's webserver cannot be turned
off using the HTML interface.
On November 16, 1999, we had a backdoor in the PhaserLink
Webserver for Tektronix Printers. The backdoor allowed an
attacker unfiltered and unauthenticated access to the
configuration of the printer. Many of the Tektronix printers
available at the time had this backdoor. A few days later,
another bugtraq poster discovered that this vulnerability also
allowed an unfiltered and unauthenticated user to ultimately
physically deny service on the printer by forcing it into
Emergency Power Off mode, which meant the printer would turn
itself off without properly voiding the ink or crayon reservoir.
http://oliver.efri.hr/~crv/security/bugs/Others/tronix.html
http://oliver.efri.hr/~crv/security/bugs/Others/tronix2.html
If the reservoir cooled, the ink or crayons would coagulate, and
the printer would be physically damaged.
Tektronix made things more insecure as well as using more security
through obscurity to hide the problem exposed in the first
vulnerability report. As a matter of fact, the last
communications Ltlw0lf received from them on this issue were in
the beginning of 2000.
Tektronix apparently fixed the problem, but not in a secure
fashion. Ltlw0lf recently had the opportunity to play with
several new 850 printers. The new printers appear to have fixed
the problem, at least in a majority of the half-dozen machines he
has played with. Typing in the backdoor URL produced an Error 404
message. However, all of the webservers responded to the URL:
http://printername/_ncl_subjects.shtml
It appears that Tektronix covered up the URL after he posted the
vulnerability report by changing the URL slightly. This was
actually discovered during the testing of the printer. We noticed
that most of the pages on the server now end with the extension
.shtml. However, typing in the filename ncl_subjects.shtml
also produced an Error 404. Ltlw0lf accidentally typed
_ncl_subjects.shtml at one point during the testing, and the page
popped up. So Tektronix has "secured" the webpage by adding a
"_" and an "s". This is literally the first time we have caught
a backdoor by dumb luck, but it only took about 20 minutes of
playing. The first URL was given to us by Tektronix Technical
Support. But it definitely proves one of the three reasons
that security through obscurity fails: pure dumb luck.
The new URL allows the same sort of access that the previous URL
backdoor allowed. Configuration pages themselves live at the
URLs
http://printername/_ncl_items.shtml&SUBJECT=*
where "*" is the number corresponding to the particular
configuration page. Again, Tektronix has included the ability to
remotely (and unauthenticated) physically deny service to the
printer by setting the "Shutdown" option on the URL
http://printername/_ncl_items.shtml&SUBJECT=1
to "Emergency Power Off," but we have yet to find someone willing
to allow us to test this. Obviously setting "Factory Default" to
true is a much less destructive Denial of Service as it resets the
printer, but doesn't damage anything.
Tektronix has added a whole new (and very bad) wrinkle to the
HTTP config page. As previously discovered, the HTTP Config page
on 740 machines allowed users to view the administrator password
without any sort of authentication or filtering. This means that
anyone on the planet can access this information and use it to
reconfigure other parts of the machine using the URL
http://printername/ncl_items.html&SUBJECT=2097
Tektronix now has both a userid and a password field available in
plain-text by typing the URL
http://printername/_ncl_items.shtml&SUBJECT=2097
This has the effect of essentially allowing an ignorant user (and
believe me, any user who has a printer outside of a firewall is
an ignorant one) to broadcast their standard userid and password
to the world. This allows an attacker to discover a potentially
legitimate password on other computer systems, and the rest, as
they say, is history.
Furthermore, Tektronix has taken away one of the two fixes we
proposed in the last advisory. One of our suggestions for
network administrators to fix the problem was to use the "On"
switch on the
ncl_items.html&SUBJECT=2097
webpage to turn off the webserver on the printer, which apparently
turned off this backdoor quite effectively. However, while the
new printers still have this switch, the functionality of the
switch has been broken or turned off, so this option is no longer
available to network administrators. The only way to protect the
printer from attack is to put it behind a firewall.
Ltlw0lf is still playing; there may be more... This info applies
to 750DP, 850 and 930 printers so far.
SOLUTION
Do not set a default gateway for the printer's IP configuration.
This should limit the vulnerability to your own subnet.
It is highly recommended to assign private IPs to all items such
as printers, fancy fax machines, switches, etc... The only reason
to give them a public IP is convenience. Convenience and security
usually cancel each other out. It's hard to have one if you're big
on the other. Assign private IP subnets to the same internal
subnets that you used the public IPs on, route them internally,
and get real big on ingress/egress filtering of those RFC1918
blocks. Then only your own users can hurt you. Sure it's
not a fix-all but it's usually easier to gain accountability
locally than on the 'Net at large.
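As an added defensive example (not part of the original report or of any Tektronix software), the script below scans a constructed sample of proxy or firewall log lines for requests to the PhaserLink configuration pages named in the report above and rates hits from outside the RFC1918 blocks, or on the shutdown and credential pages, as high. The log line format and the printer hostname are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample of proxy/firewall log lines, not real traffic.
# Assumed format: "<source-ip> <method> <url>" (hypothetical logger).
SAMPLE_LOG = """\
10.1.2.3 GET http://phaser850/_ncl_subjects.shtml
203.0.113.7 GET http://phaser850/_ncl_items.shtml&SUBJECT=2097
203.0.113.9 GET http://phaser850/_ncl_items.shtml&SUBJECT=1
10.1.2.4 GET http://phaser850/index.shtml
198.51.100.5 GET http://phaser850/ncl_items.html&SUBJECT=2097
"""
# PhaserLink configuration pages named in the advisory (740 and 850 names).
CONFIG_PATHS = {"/ncl_items.html", "/_ncl_items.shtml", "/_ncl_subjects.shtml"}
# SUBJECT numbers the advisory calls out: 1 carries the Shutdown option
# (Emergency Power Off); 2097 shows the userid and password in plain text.
SENSITIVE_SUBJECTS = {"1": "shutdown-page", "2097": "credential-page"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    """True if the source address falls in an RFC1918 block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def classify(line):
    """Alert dict for a request to a PhaserLink config page, else None."""
    src, _method, url = line.split(maxsplit=2)
    # PhaserLink joins its argument with '&' instead of '?', so urlsplit()
    # leaves '&SUBJECT=n' inside .path and it must be split off by hand.
    path, _, args = urlsplit(url).path.partition("&")
    if path not in CONFIG_PATHS:
        return None
    match = re.search(r"SUBJECT=(\d+)", args)
    subject = match.group(1) if match else None
    external = not is_internal(src)
    # Any hit from outside RFC1918 space, or on the shutdown/credential
    # page from anywhere, is high; other internal config browsing is medium.
    severity = "high" if external or subject in SENSITIVE_SUBJECTS else "medium"
    return {"src": src, "path": path, "subject": subject, "external": external,
            "reason": SENSITIVE_SUBJECTS.get(subject, "config-page"),
            "severity": severity}

def scan(log_text):
    """Run classify() over every non-empty log line and keep the alerts."""
    hits = (classify(l) for l in log_text.splitlines() if l.strip())
    return [a for a in hits if a is not None]
```

Running scan(SAMPLE_LOG) yields four alerts; the internal visit to the subject index is rated medium and the three others high.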
Official response is that the Phaser 850 launched in Feb. 2000.
The product development cycle for a product like this is roughly 2
years and the code is usually complete many weeks before launch
to allow manufacturing ramp-up. So any expectation that the Phaser
850 would incorporate the input from Dec. '99 is not realistic.
That input, however, has been incorporated into future products.
An emergency shut-down will not cause a catastrophic failure due
to ink "coagulation". In a solid ink printer, the ink is solid at
room temperature and liquid only while heated in the printhead
[This eliminates the colorant (ink/toner) messes common in other
technologies]. Any loss of power will cause the heated ink in the
head to cool to solid form. An emergency shut-down is no different
than a power failure which the printer is designed to handle.